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Abstract 

An algorithm for computing the nonlinearity of a Boolean function from its algebraic normal form (ANF) is proposed. By 
generalizing the expression of the weight of a Boolean function in terms of its ANF coefficients, a formulation of the distances to 
linear functions is obtained. The special structure of these distances can be exploited to reduce the task of nonlinearity computation 
to solving an associated binary integer programming problem. The proposed algorithm can be used in cases where applying the 
Fast Walsh transform is infeasible, typically when the number of input variables exceeds 40. 
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I. Introduction 

Boolean functions have various applications in cryptology, coding theory, digital circuit theory, etc. (TJ. Among the properties 
associated with a Boolean function, nonlinearity is an important criterion regarding the security point of view. Nonlinearity is 
defined as the minimum distance of a Boolean function to the set of affine functions and functions used in secrecy systems 
are expected to have high nonlinearity in order to resist certain cryptanalytic attacks. This makes the nonlinearity computation 
a necessary task in order to prove that the claimed level of security is achieved. 

Boolean functions have several representations and for each representation, either there is a direct method to compute the 
nonlinearity (e.g. Walsh spectrum), or a transformation to a representation of this type is available. Two common ways of 
representing Boolean functions are truth table and algebraic normal form (ANF). Truth table is the list of all output values of a 
Boolean function in a predetermined order. Computing nonlinearity from the truth table can be done by Fast Walsh transform 
(FWT), which constructs the Walsh spectrum of the function and the entry with the maximum absolute value in the spectrum 
determines nonlinearity. As the truth table of an ?i-variable Boolean function consists of 2™ entries, the cost of storing the 
truth table increases exponentially in n. ANF is a preferred representation either when it is impractical to store the truth table, 
or it is more efficient and/or secure to calculate the output of the Boolean function from an expression of the input variables. 

Unless the ANF of a Boolean function belongs to a class that reveals its nonlinearity (e.g. affine functions), the task of 
computing the nonlinearity from the ANF can be performed by constructing the truth table from the ANF by Fast Mobius 
transform and then applying FWT on it. This process has a computational complexity of 0(n2 n ) both to transform the ANF 
to truth table and to apply FWT. Clearly, when n gets larger, say n > 40, considering the computation and memory resources 
of current computers, applying these transformations becomes infeasible. 

Expression of the weight of a Boolean function in terms of its ANF coefficients is introduced by Carlet and Guillot [5|, 
which allows one to compute the weight from the ANF with a complexity of 0(2 P ) operations, if the Boolean function consists 
of p monomials. Two related works utilizing this expression propose more efficient methods for Walsh coefficient computation 
and weight computation from the ANF 0, 2). I n this work, by investigating the distance of a Boolean function to the set 
of affine functions in terms of ANF coefficients, an algorithm to compute the nonlinearity for Boolean functions with high 
number of inputs is devised. 

This paper is organized as follows: Section 2 gives basic definitions about Boolean functions and introduces the notation used 
in the paper. Section 3 investigates the expression of the distance to the set of affine functions in terms of ANF coefficients by 
introducing the Linear Distance Matrix. In Section 4, the algorithm for computing the nonlinearity by exploiting the structure 
of this matrix is described, with a discussion on the complexity of the algorithm, techniques for performance improvement 
and implementation results. Section 5 gives the conclusion. 

II. Preliminaries 

Let F2 = {0,1} be the finite field with two elements and F 2 l be the n-dimensional vector space over F2. The addition 
operation in F2 and F 2 l will be denoted by 0, whereas + will be used for integer addition. Binary logical operators and 
and or will be denoted by A and V, respectively. Unary operator -1 will stand for the bitwise complement of a vector. Inner 
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product of two vectors x,i/eF5 is (x, y) = X\y\ • • • © x n y n . Support of a vector x = (x\, . . . , x n ) € F 2 is defined as 
supp(x) = {i | Xi 7^ 0}. Weight wt(x) of a vector is the number of its non-zero components, i.e., wt{x) = \supp(x)\. 

Elements of F 2 can be identified with integers modulo 2™ by associating the vector x = (xi, . . . , x n ) e F?? with the integer 

x=J2 x t 2 n -\ 

i=l 

An n-variable Boolean function / : F 2 — > F 2 specifies a mapping from the n-dimensional vector space to F 2 . The sequence 
Tf = (/(0), f(l), ■ ■ ■ , f(2 n — 1)) is called the truth table of /. The support (resp. weight) of / is the support (resp. weight) 
of its truth table, hence the weight of the function is wt(f) = \supp(f)\ = \{x <G F 2 | f(x) = 1}\. / is called balanced if 
wt(f) = 2 n ~ 1 . A Boolean function can be represented as a multivariate polynomial called the algebraic normal form (ANF) 
such that 

f{x\, ...,x n )= (J) a u x u (1) 

where x u — x^x^ 2 ■ ■■x u n n is a monomial composed of the variables for which Ui = 1 and a u G F 2 is called the ANF 
coefficient of x u . Degree of the monomial x u is wt(u) and the highest degree monomial with the non-zero ANF coefficient 
determines the degree of a function. 

Throughout the text, for the sake of simplicity, the ANF coefficients of a Boolean function will be denoted by <2j for 
i G {0, 1, • • • , 2™ — 1} being an integer. In this notation, is the coefficient of the monomial x l . For example, cto, Oi, a 2 , 03 
and a 2 n_i are the ANF coefficients of the monomials 1, x n , x n -i, x n -\x n -i and x\x 2 ■ ■ ■ x n , respectively. 

Distance between two functions is measured with the number of truth table entries they differ by, i.e., 

d(f,9) - K* € F, 1 I f{x)^ 9 {x)}\=wt{f@g). 
For w € F 2 and c e F 2 , Boolean functions of the form 

f(x) = (w, x) © c 

are called affine functions, and in particular when c = they are called linear functions. l w and l w = l w © 1 will be used to 
denote linear functions and their complements, respectively. The set of affine functions is shown by A n . Nonlinearity Nf of 
a Boolean function / is the minimum of the distances between / and the set of affine functions, i.e., 

Nt — min d(f, g). 
geA n 

For two vectors x, y e F 2 , if supp(x) C supp(y), x is called a sub-vector of y, and y is called a super-vector of x, which 
will be denoted by x -< y or y > x. The set of sub-vectors of a vector is denoted by S_{x) = {y e F 2 | y ^ x}, and the set of 
super-vectors of a vector is denoted by S(x) = {y £ F 2 | y >z x}. The following observations follow from the definition of 
sub-vector and super-vector: 



\S{x)\ = 2 wt ^ (2) 
\S(x)\ = 2 n ~ wt ^ (3) 

III. Distance to Linear Functions 
Any integer valued function G : F 2 n -> Z defined on binary m-tuples can be represented by 

G(xi,...,x m ) = Xjx 1 (4) 

7C{1,-.. : m} 

where Xi G F 2 for 1 < i < m and A/ € Z is the coefficient of the product a; 7 — x^ . . .Xi d for / = ■ ■ ■ ,id}- Here, 
Xi E F 2 implies xf = Xi, therefore all the terms x 1 are distinct products of input variables and the function has 2 m terms. 
For the functions of interest to this study, G maps the ANF coefficients of an n-variable Boolean function to the distance to a 
particular linear function, hence the number of input variables is m — 2". When m is large, it is not possible to list all of the 
ANF coefficients of a Boolean function. Instead, the support of the ANF is supplied, which is assumed to be relatively small 
sized. For an input x = (x\, . . . , x m ) and supp(x) = ■ ■ ■ , i p }, the output of the function will be the sum 

G(x) = Xj 

JC{ii,-.. ,i p } 

consisting of 2 P coefficients Xj, associated with all nonzero products x 1 . Using this approach, the function G can be evaluated 
in 0(2 P ) operations if the complexity of computing each A/ is negligible. In the following part of this section, it will be 
shown that the coefficients of the functions mapping the ANF coefficients to the weight and to the distance to a particular 
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linear function can be computed in a very simple way. On the contrary, this is not the case for nonlinearity. This will lead to 
constructing a method to compute the nonlinearity without trying to compute the coefficients of the function, but by exploiting 
the properties of the previously mentioned functions' coefficients that could be easily computable. 

The function mapping the ANF coefficients to the weight of a Boolean function was introduced in [5|, which will be called 
the weight function. In order to render the remaining of the text more comprehensible, derivation of the coefficients of this 
function is going to be explained. 

The output of a Boolean function can be calculated in terms of its ANF coefficients as follows: 

/W = 0a u . (5) 

Table U shows the truth table entries of 3-variable Boolean functions in terms of ANF coefficients. When an ANF coefficient 
at contributes to the output of a Boolean function at a point, it is said that appears in that truth table entry. The sum of 
the truth table entries gives the weight of the function. Weight can be expressed as a function over the integers by replacing 
the addition operation in F 2 in each truth table entry with integer addition operation. F 2 addition can be converted to addition 
over the integers by a well known formula, generalizing the fact that a©6 = a + 6 — 2ab: 



i—l k—1 l<ii <---<ifc<m 

This formula states that the expression of addition over the integers consists of all combinations of products of terms, with 
a leading coefficient related to the number of terms in the product, such as all degree two terms having the coefficient —2 and 
all degree three terms having the coefficient 4, etc. 

Proposition 3.1: For an n-variable Boolean function, ANF coefficient a u contributes to the output in 2 n ~ wt ^ points. 
Proof: From (|5j, a u contributes to the output of the function at a point x if u < x. This means that a u contributes to the 
function output at points S(u), whose size is equivalent to 2 n ~ wt ^ by |3j. ■ 

Proposition 3.2: For each set A = {a Ul ,--- ,a Uk } of ANF coefficients, there exists a coefficient a v with the property 

supp(v) = |J supp(ui), such that the truth table entries a v appears are exactly the same as the truth table entries all the 

i<i<fe 

coefficients in A appear together. Such a coefficient a v will be called the representative coefficient of [] a Ui . 

l<i<k 

Proof: From |5J, each a Ui appears in truth table entries S(v,i). If y is a truth table entry such that all a Ui 's appear 
together then (J supp(ui) C supp(y). Call the minimum weight vector satisfying this property v, the case where the set 

l<i<fe 

equality occurs. Then, by definition of a super-vector, the set S(v) also has the same property of covering the supports of 
u/s, and these are the points the ANF coefficient a v appears in the truth table. Therefore, if vector v is chosen such that 
supp(v) = (J supp(ui), a v appears at exactly the same truth table entries as {a Ul , ■ ■ ■ , a Uk } appear together. ■ 

l<i<k 

Combining Proposition 3.1 and ([6j, one obtains the weight function of an n-variable Boolean function as follows: 



F(a Q ,...,a 2 ™-i) = 22 ^ 

IC{0,...,2"-1} 

where A/ G Z is called the weight coefficient of the product a 1 — J\ a>i- If I — 0, the value of \j is found to be zero. For a 

is/ 

non-empty set I = {ii, ■ ■ ■ ,ik}, the value of A/ is determined by two factors: 

A/ = dim, (8) 

di = (-2) k ~\ (9) 

?i 7 = 2 n - wt( - llV - Vlk) . (10) 

The value of di comes from (Jfrjl and nj is the number of times the product a 1 occurs in the truth table entries when each 



entry is expressed with addition over the integers. The value of nj is calculated by Proposition 3.2 which is related to the 
number of distinct input variables appearing in the monomials of contributing ANF coefficients. 

Example 3.3: Let n — 3 and consider the weight coefficient of a\a 2 in the weight function. After the conversion of binary 
addition to integer addition, a^a-i appears in a truth table entry if and only if both of a\ and a 2 are present at that entry. 



According to Proposition 3.2 03 appears as many times as a\a 2 appears in the truth table since 1 V 2 = 3, and the entries 
they appear are exactly the same, which are the fourth and the last rows of Table [I] Hence, by Proposition |3.1| a\a 2 appears 
2 3_wt ( 3 ) = 2 times and since a\a 2 consists of two terms, each one of these terms will have the constant (— 2) 2_1 = —2 
arising from the conversion of addition (|6j. As a result, the coefficient of a\a 2 becomes (—2). 2 = —4. 
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TABLE I 

Truth Table in terms of ANF Coefficients. 
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A. The Linear Distance Matrix 

Now, the method of obtaining the coefficients of the function which outputs the distance of a Boolean function to a linear 
function, in terms of ANF coefficients will be described. Essentially, the distance between a Boolean function / and a linear 
function l w is equivalent to wt(f © l w ). So, an investigation of how the coefficients in the weight function change when the 
truth table of / is merged with a linear function is necessary. The weight function when computed with new coefficients will 
be called the distance function, producing the output d(f,l w ). This is a generalization of the weight function defined as 

F w (a Q ,...,a 2 n-i)= X ™ aI < n ) 

JC{0,...,2"-1} 

where w € F§ specifies which linear function the distance is measured, A}" G Z is the distance coefficient of the product a 1 . 



is equivalent to |7j and outputs the weight. The following proposition states how the coefficients A} u are 



When w = 0, \U_ 
obtained. 

Proposition 3.4: Let Aj be the weight coefficient of a 1 in the weight function of an n-variable Boolean function / and let 
a v be the representative ANF coefficient of a 1 . The distance coefficient Xf of a 1 in the distance function F w for a nonzero 

w £ ¥ 2 l is 



Xf 




if I = 0, 

if I ^ and w ^ v and wt{w) is even, 
if I 7^ and w <v and wt(w) is odd, 

otherwise. 



Proof: Adding a nonzero linear function l w to / complements the truth table of / at points. At these points, the 
new value of the function becomes 1 f(x), which is equivalent to 1 — f(x) in integer arithmetic. Considering the integer 
valued expression of the truth table entries in terms of ANF coefficients, this corresponds to negating the terms and producing 
a constant value of 1 that is independent of the ANF coefficients. This proves Xf = 2 n ~ 1 for 7 = 0. 

In order to find out the values of other coefficients, at how many points supp(l w ) coincides with the truth table entries the 
product a 1 appears must be calculated. If all (resp. half, none) of the points where a 1 appears in the truth table coincide with 
supp(l w ), then Xf will be —A/ (resp. 0, Xj). 

Linear function l w identified by the vector w £ has supp(w) terms and takes on the value 1 whenever an odd sized 
combination of its terms are added. Namely, 

supp(l w ) — {x £ ¥2 I #{supp(x) n supp(w)} is odd.}. (12) 

This also means that, if x £ supp(l w ) then supp(x) = I U J such that I C supp(w) with |7| = 1 (mod 2) and J C 
{1, . . . ,n} \ supp(w), i.e., the components which are not in the support of w can be chosen freely since they do not contribute 
to the output of l w . On the other hand, if a v is the representative ANF coefficient of the product a 1 , the truth table entries 
where a 1 appears is S{v) by ((5}. 

• Assume w di v. For a vector x £ ¥2 to be both in supp(l w ) and S(v), supp(w) C supp(x) is necessary. Otherwise, if 
any component j £ supp(w) of x is taken to be zero, x will not be in S(v), because j £ supp(w) and w ^ v implies 
j £ supp(v), which means the j th component will always be 1 in S(v). Hence, intersection occurs at the points S(w), 
i.e., all the terms in l w must be chosen. If wt(w) is even, the linear function l w gets the value zero at these points and the 
intersection becomes the empty set, proving Xf — Xj. Following the same argument, if wt(w) is odd and all the terms 
in l w are chosen, l w attains the value 1 at the points S(w). Since w < v implies S(v) C S(w), all the points the term a v 
appears in the truth table coincide with supp(l w ) and the terms at these points will be negated due to complementation, 
leading to Xf — —A/. 
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TABLE II 

Linear Distance Matrix for n = 3. 
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Assume w ^ v. This implies yl = supp(w) \ supp(v) ^ 0. Let x <E F£ such that supp(x) = supp(w) fl supp(v). Then 
it is easy to show that half of the vectors in have even weight and half of them have odd weight. Because for any 
2/i € with |supp(yi) fl A | = 1 (mod 2) a corresponding vector j/2 such that \supp(y2) l~l A| = (mod 2) can be 
found. A consequence of this is the output of the linear function l w at points y\ and y% are complements of each other. 
This means that half of the vectors in S(v) are also in supp(l w ) and half of them are not. Therefore, in the summation 
of truth table entries at positions S(v), terms cancel each other making Xf = 0. 



Now consider all 2" functions F w which map the ANF coefficients of a Boolean function / to the distance d(f,l w ), with 
the attention being on the distance coefficients of a 1 with |J| = 1, i.e., distance coefficients of dj for i £ {0, • • • , 2™ — 1}. 
According to (3.2 1, for any product a 1 with |/| > 1, a representative coefficient from this set can be used. The 2™ x 2" matrix 
whose i th row consists of such coefficients A} will be called the Linear Distance Matrix (LDM) of order n, denoted by M n . 
In view of i 



and Proposition 3.4 each entry of LDM can be defined as follows: 



M n ■ 



0. 



if i r< j, 
otherwise. 



(13) 



Table [IT] shows the LDM of order 3. The entries of n th order LDM are closely related to the Sylvester-Hadamard matrix 



H n , which is defined as 



H = [1], 
1 



H 



1 



1 

-1 



for n > 1, 



(14) 
(15) 



where <£> refers to the Kronecker product of matrices. Each row (or column) of H n represents the truth table of a linear 
function, whose entries are transformed from (0,1) to (1,-1). Table III shows H3 where only the signs of the entries are 
shown. '+' and '-' denote the points the function takes on the values and 1 respectively. 

Proposition 3.5: M™ can be obtained by adding the entries of the i th row of H n at columns S(j): 

Proof: Since the i row of H n represents the truth table of ij, the distance coefficient of a v in the distance function can 
be calculated by adding the '+' and '-' values of H n in the i th row at columns S(v). This gives how many times the sign of 
a v will be positive and negative in the integer valued expression of truth table entries when the linear function lj is added to 
a Boolean function. This sum corresponds to the distance coefficient of a v . ■ 

LDM can also be expressed with the following recursive structure: 

M n,0 

1 



M n.n 



1], 

2 


M r ' 



-1 



AT 



for 1 < i < n, 



(16) 
(17) 
(18) 



This recursive structure can be explained with Sylvester-Hadamard matrices. As stated in Proposition 3.5 the entries of M n 
correspond to the sum of particular entries of H n . When the dimension is extended from n to n + 1, H n grows according to 
(14 1. As a result of the way H n is duplicated to produce H n +i, the values of M n are doubled for ANF coefficients that do 
not contain the newly introduced variable, which corresponds to the upper left quarter of M n+1 . The upper right quarter of 
M n+1 will be equal to M n as this part of H n+ \ is equal to H n . The lower right quarter will be — M n since the entries of 
H n+ i at this part have opposite signs with H n , and the lower left quarter will be the matrix consisting of all zeros because 
for each S(v), half of the entries will be positive and the other half will be negative. 

The first row of the LDM contains the distance coefficients for calculating the distance to the linear function Iq = 0, which 
also corresponds to the weight. The coefficients in this row are also equivalent to the weight coefficients of the weight function. 
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TABLE III 

H 3 : Sylvester-Hadamard Matrix of order three. 
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The second and third rows contain the distance coefficients for calculating the distances to the linear functions l\ = x n and 
h = Xn-i respectively, and so on. The first row of the LDM will often be an exceptional case for the rest of the discussions 
in this chapter because once the weight of the function is calculated in the first step of the nonlinearity computation algorithm 
which is going to be explained in the next section, this row will no longer be needed. Some properties of the LDM derived 
from ( fT3| are as follows: 

Remark 3.6: Entries in the j th column take on the values from the set {0, ±2'°}, where k — n — wt(j). 



Except the first and the last columns of the LDM, all three values mentioned in Remark 3.6 appear in a column. In the first 
column, there is only one nonzero entry which is positive and all the other entries are zero. In the last column, there is no 
entry with a zero value. 

Remark 3.7: Nonzero entries of the j th column are at positions x where x = S_(j). 

Remark 3.8: Nonzero entries of the i th row are at positions x where x — S(i). 

Remark 3.9: Nonzero entries of the i th row are positive if wt(i) is even, and negative if wt(i) is odd. 
Remark 3.10: Let ji and ji be two column indices in the LDM. Then the following holds: 

• If ji ^ j2 then Mij x ^ implies Mjj 2 7^ 0. 

• If supp(ji) H supp(j2) = then at least one of Mi,j 1 and Mjj 2 is zero, except for i = 0. 

Remark 3.11: Zero entries of the j th column are at positions x where supp(x) D ({1, • • • ,n}\ supp(j)) 7^ 0. 
Proposition 3.12: If the i th row of the LDM is used to measure the distance to the linear function h, negating each entry 
of the i th row is used to measure the distance to the affine function U. 

Proof: Let the distance of a Boolean function to a nonzero linear function be expressed as 

d(f,l l ) = 2 n - 1 + a 

where a is the sum of the distance coefficients except the constant coefficient. The value of a also corresponds to the sum of 
certain entries of the i th row of the LDM, with each entry being multiplied with a constant depending on the Boolean function 
/, which will be explained in the next subsection. Regardless of this multiplication, if the distance coefficients in the i th row of 
the LDM are negated, the new sum becomes 2" _1 — a, and this is equivalent to d(f, U © 1), since d(f, U © 1) = 2™ — d(f, U). 



In view of Proposition 3.12 all entries of the LDM can be considered as absolute values. This results in computing the 



distance to the linear function l w if wt(w) is even and to the affine function l w if wt{w) is odd. 
B. Combining Coefficients 

A Boolean function consisting of p monomials has 2 P distance coefficients associated with the nonzero products of ANF 
coefficients, which can be computed according to ([8]). Computing the weight of the function requires all these coefficients to 
be added whereas the distance to a particular linear function can be obtained by adding a subset of these coefficients plus a 
constant value of 2" _1 . Computing the distance coefficients by processing all combinations of p monomials has a computational 
complexity of 0(2 P ) operations, and this can be done at most for p < 40 in practice. Now, a new method will be introduced 
which combines the related distance coefficients, with the aim of reducing the number coefficients and avoiding the processing 
of 2 P monomial combinations. 

Let a 1 and a be two terms in the distance function such that (J supp(i) — [J supp(j), that is, the input variables appearing 

iel je.J 

in ANF coefficients of a 1 are the same as input variables appearing in ANF coefficients of a J . This not only makes n.j = nj 
acco rding to ( fT0] i, but also specifies that these terms appear in exactly the same truth table entries according to Proposition 



3.2 Hence, in the distance function (JTTJ, for all values of w, the distance coefficients of a 1 and a J will behave the same with 



respect to Proposition 3.4 The distance coefficients of these terms can be collected under the distance coefficient of the term 



dfc such that etfc is the representative ANF coefficient of both a 1 and a' 7 . Since nj = nj = jik, it is |/| and \ J\ that 
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distinguishes the distance coefficients A/ and Aj from Xk- From (j9jl, it follows that A/ = (— 2)I / I~ 1 A#- and A,/ = (— 2)' J l~ 1 A^-. 
The distance coefficients of the terms which have the same representative ANF coefficients can be collected under a single 
distance coefficient, called the representative distance coefficient, that is, the distance coefficient of the term belonging to the 
representative ANF coefficient. When this is done, the number of times a representative distance coefficient should be added 
will be called the combined coefficient, and when multiplied with the value of the representative distance coefficient, will be 
called the combined distance coefficient. The combined coefficients of the distance function can be computed from the ANF 
coefficients of a Boolean function as follows: 

c u = yi (- 2 ) fc_i n < i9 > 

u— uiV ■■■Vuk l<.i<.k 

Example 3.13: Let the support of the ANF coefficients for a Boolean function be {oi, 02, 03}. Then the distance coefficients 
corresponding to the nonzero products 

{1,01,02, 03, ai<i2,aia3, 0,20,3, 010203} 



are 



{A, Ai, A2, A 3 , Ai 2) Ai )3 , A2,3, ^1,2,3} 



where A is the constant term, Ai is the distance coefficient of ai, A12 is the distance coefficient of 0102, and so on. Since 
Ai,2 = ^1,3 = A2.3 = — 2A3 and Ai,2,3 = 4A3 from (|9ji and (10 1, these distance coefficients can be combined under the 



representative distance coefficient A3, producing the combined distance coefficients {A, Ai, A2, — A3}. Here, the corresponding 
combined coefficients are {1,1,1,-1}. 

Algorithm [T] calculates the combined coefficients from the ANF by processing each monomial one by one. The input to the 
algorithm is a list of monomials of the Boolean function called MonList. The monomials are represented by x 1 — TJ %i 

where I C {1, • • • , n}. The output of the algorithm is a list of combined coefficients called Coef List consisting of elements 
of the form Cix 1 where Ci 6 Z is the combined coefficient of the monomial x 1 . When a new monomial x 1 is added to 
the function, the product of each existing combined coefficients and the new monomial is processed and the newly produced 
coefficients are added to a temporary list named NewList. For an existing coefficient Cjx J , if it is the case that I C J, then 
the product of these two coefficients will be —2CjX J , when added will negate the original coefficient. The products of terms 



whose ui part as specified in (lOi will reside in the new monomial x 1 are collected under the variable S. These terms will 
be added to the combined coefficients at the end of processing that monomial. The last case is the general case where the 
coefficient of the term produced by the product of two monomials are added to the NewList. At the end of processing the 
combined coefficients of the previous step, all the newly produced coefficients are added to CoefList. Addition of items to 
lists is denoted by + operator. When an entry CiX 1 is to be added to a coefficient list, if there already exists an element CjX 1 , 
then the coefficient Cix 1 is updated as (Ci + C^x 1 . 

The sum of all combined distance coefficients will give the weight of the function. In order to compute the distance to a 
nonzero linear function l w , only a subset of these coefficients need to be added, which is determined according to whether the 
vector associated with the combined distance coefficient is contained in S(w). Also, since A™ = 2™~ 1 for w 7^ and 7 = 0, 
a constant value of 2™~ 1 should be added. 

Since the distance to linear functions is related to the Walsh coefficients of a Boolean function, the sum of the combined 
distance coefficients can be expressed in terms of Walsh coefficients. For i.e., for a nonzero linear function l w , 

W f (w) = 2 n -2d{f,l w ), (20) 

W f (w) = 2 n - 2(2 n ~ 1 + a w ), (21) 
W f (w) 

Q-w = ^ — (22) 



where a w is the sum of the combined distance coefficients, excluding the constant coefficient 2" _1 . From ( |22) , it can be seen 
that if the constant term 2™~ 1 is not added, the distance function ( fTT| outputs — . Because the nonlinearity of a Boolean 
function depends on the maximum absolute value of the Walsh spectrum, being able to compute the maximum absolute value 
of the sum of the distance coefficients without adding the constant term is also sufficient to find out the nonlinearity. 



IV. Computing Nonlinearity 

The nonlinearity computation algorithm consists of two phases. In the first phase, combined distance coefficients are calculated 
according to Algorithm [T] from the given ANF coefficients. Once this phase is completed, the distance to any linear function 
can be obtained by adding a subset of these coefficients, i.e., by adding the coefficients corresponding to columns S(w) in the 
w th row if the distance to the linear function l w is to be calculated. The nonlinearity computation on the other hand, requires 
all the distances to the linear functions to be calculated and the one with the minimum value being identified, which cannot be 
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Algorithm 1 Calculate combined coefficients 
l: procedure CalcCobf(M onList) 



2: CoefList <- 

3: for all x 1 e M onList do 

4: NewList <- 

5: S«- 1 

6: for all CjX J e CoefList do 

7: if I C J then 

8: Cj < Cj 

9: else if J c / then 

10: S ^ S - 2Cj 

ii: else 

12: NewList «- NewList + (-2Cj2; /UJ ) 

13: end if 

14: end for 

15: for all C k x K e NewList do 

16: CoefList «- CoefList + CkX K 

17: end for 

18: CoefList «- CoefList + Sx 1 

19: end for 

20: return CoefList 



21: end procedure 



done in practice if n is too high. After the combined distance coefficients for a Boolean function are calculated, the distance 
to any linear function can be represented of the form 

F(h,--- ,b k ) = ^ (23) 
i<i<fc 

where b{ £ ¥2 and fa <E Z is the combined distance coefficient associated with &j. Each 6, in this function determines whether 
a zero or a nonzero entry is chosen from the corresponding column of the LDM. Although there are 2 k possible inputs to this 
function, only some of the fc-bit inputs actually correspond to a distance to a linear function. By enumerating all such fc-bit 
inputs, one obtains the set of all distinct distances. The task of computing the nonlinearity then corresponds to finding the 
minimum of these values. Note, however, as explained in the previous section, omitting the addition of the constant coefficient 
when calculating the distance to the nonzero linear functions, one gets the negative half value of the Walsh coefficient, and 
this constant coefficient is assumed to be excluded in ( |23) l. With this slight modification, it becomes the maximum absolute 
value of ( |23] l to be found, instead of the minimum and maximum values, had the constant coefficient been added. 

In the second phase of the nonlinearity computation algorithm, the maximum absolute value of the distance function ( |23j ) 
is searched, which determines the nonlinearity. This problem also corresponds to a binary integer programming problem. The 
set of 2 k possible fc-bit input vectors will be classified as feasible or infeasible according to whether they represent a distance 
to a linear function or not. The feasibility checking of inputs can be performed with Algorithm [2] and Algorithm [3] which 
determine whether a particular zero/nonzero choice of values in certain columns is possible in any of the rows of the LDM. 
By enumerating all possible distances to the set of linear functions, the minimum of these can be taken as the nonlinearity of 
the Boolean function. 

A common approach in solving integer programming problems is to utilize the tree structure. The set of feasible inputs to 



the function (23 1 can be shown in a tree with the input variables bi being the nodes. This tree will be called the distance tree. 
Starting with b\ as the root node, each left (resp. right) child node of a node bi represents the case where bi — 1 (resp. bi — 0). 
In order to enumerate feasible inputs, it is sufficient to check whether a node 6j can take on the value or 1 depending on 
the values o f the p arent node s (valu es of the preceding variables). This can be done efficiently by using the facts mentioned 
in Remarks (3.7i, (3. 10 1 and ( |3.1 Row indices r in the LDM containing a nonzero entry in the j th column satisfy r ^ j. 



Similarly, if a row has a zero value in the j fh column then supp(r) n ({1, • • • ,n}\ supp(j)) ^ must be satisfied since a 
zero value in the j th column appears only in the row indices where at least one bit is set that is not in supp(j). Given two 
lists of columns Co and C\, and another column identified by the index u, Algorithm [2] determines whether there exists a row 
in the LDM containing a nonzero value in column u, with the condition that the values in columns Co are zero and the values 
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in columns C\ are nonzero. Algorithm [3] performs the same task by checking whether there is a row having a zero value in 



column u, under the same conditions. These two algorithms allow one to enumerate all feasible inputs to ( 23 1 by using the 
associated column indices for each input variable b t . 

Algorithm 2 Decide whether a node in the distance tree can take on the value 1. 
l: procedure Branch1(C , Ci, u) 
2: IncludeMask — /\ a 

3: if (u A IncludeMask) = then 
4: return false 

5: else 

6: for i £ Co do 

7: if (-ij A u A IncludeMask) = then 

8: return false 

9: end if 

10: end for 

li: end if 

12: return true 
13: end procedure 



Algorithm 3 Decide whether a node in the distance tree can take on the value 0. 



i: procedure BranchO(C ,Ci,u) 
2: IncludeMask = /\ a 

aeCi 

3: if {->u A IncludeMask) — then 
4: return false 

5: else 

6: for i e Co do 

7: if A IncludeMask) = then 

8: return false 

9: end if 

10: end for 

ii: end if 
12: return true 
13: end procedure 



Example. Let f{x%, • • • , x 5 ) — Xix 5 © x^x 5 © Xix 2 x 3 © Xix 2 x± © Xix 2 x 3 x i x 5 . Using Algorithm [TJ the following set of 
combined distance coefficients are obtained: 

{A3, A17, A26, A28, — 2Aig, — 2A29, — 2A30, 3A31}. 
The associated distance function formed by these coefficients is 

F(b u ■ ■ ■ , b 8 ) = 861 + 86 2 + 46 3 + 46 4 - 865 - 46 6 - 46 7 + 36 8 . 

Note that in the LDM of order 5, b\ is associated with column 03, b 2 is associated with column air, an d so on - Among the 
2 8 = 256 possible inputs to F, only 13 of them are found to be feasible as shown in the distance tree in Figure [T] In the 
figure, the values in the leaf nodes shown in boxes below denote the output of F when that particular combination of bi's are 
chosen. Each leaf node also corresponds to a feasible input of F and is called a path, denoted with a sequence of input bits. 
The value of a path is the output of F for that input. A path in the tree identifies the linear functions whose distances to the 
Boolean function in consideration are obtained by adding the same combined distance coefficients, also specifying the distance 
to these functions. As there can be more than one linear function covered by a path, different paths can have the same value. 
For example, there are six paths with value 3, four paths with value -1 and two paths with value -5 in the distance tree of the 



example function. Table IV gives a more detailed information about this distance tree. The first column of the table denotes the 
leaf node (or path) number, the second column lists the path string, the third column gives the output of the distance function 
F for the corresponding path and the last column denotes which linear functions that path is associated with. 

Table [V] shows a portion of the LDM of order 5, where only the eight columns related to the distance function of the 
example are shown. The distance tree constructed using Algorithm [2] and Algorithm [3] actually enumerates the distinct sums 
that can occur when the combined distance coefficients are added for each row of the LDM. In Table [VJ the top most row 



Fig. 1. Distance tree of F(bi , b s ) = 861 + 8f> 2 + 4b 3 + 46 4 - 8b 3 - 46 6 - 4ft 7 + 3feg. 

TABLE IV 

Distance tree data of F(bi , • • • , bs) = 861 + 862 + 46 3 + 46 4 - 865 - 4fe 6 - 4fe 7 + 3b s 



N 


Path 


F 


Associated l w 


1 


11001101 


7 




2 


10101011 


3 


X4 


3 


10001001 


3 




4 


01111111 


3 


XI 


5 


01001 101 


-1 




6 


00110111 


3 


X2 

Xl © X2 


7 


00101011 


-5 


X\ © X4 


8 


00100011 


3 


X2 © X4 
X\ © X2 © X4 


9 


00010111 


-1 


X3 

Xl © x 3 
X2 © X3 
Xl © X2 © £3 


10 


00001001 


-5 


3:1 © x 4 © £5 


11 


00000101 


-1 


2:2 © £5 
£1 © £2 © X5 

x-i © £5 
Xl © £3 © £5 

£2 © £3 © £5 

Xl © £2 © 23 © £5 


12 


00000011 


-1 


£3 © £4 

Xl © £3 © £4 
£2 © £3 © £4 
Xl © £2 © ^3 © ^4 


13 


00000001 


3 


£2 © £4 © x 5 
xi © £2 © x i © £5 
£3 © £4 © £5 

£1 © X3 © £4 © x 5 
X2 © £3 © %4 © £5 
£1 © £2 © ^3 © ^4 © £5 
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TABLE V 

Distance coefficients and related portion of the LDM for /(asi, ■ ■ ■ ,2:5) = xix 5 © x 4 x 5 © xix 2 x 3 © xxx%x^ © £122x32143:5. 



d 


1 


1 


1 


1 


-2 


-2 


-2 


3 


F 


w 


N 




8 


8 


4 


4 


-8 


-4 


-4 


3 
































h 


8 


8 


4 


4 


4 


2 


2 


1 


1 1 


10 




h 


-8 


-8 








-4 


-2 







7 


14 


1 


h 


-8 





-4 





-4 









3 


6 


2 




8 











4 





— 




— 


3 


-6 


3 













-4 





-2 


-2 


— 


-1 


-2 


9 


h 

















2 





__ 

1 


-1 


2 


11 


^6 




















2 


1 


-1 


2 


12 


h 























" 


3 


6 


13 


Is 








-4 


-4 





-2 


-2 




3 


6 


6 


I9 

















2 





__ 


-1 


2 


11 


ho 








4 











2 


— 


3 


-6 


8 


hi 























— 

- 


3 


6 


13 


I12 











4 





2 


2 




-1 


2 


9 


ll3 

















-2 







-1 


-2 


1 1 


1x4 




















-2 




-1 


-2 


12 


hs 























— 


3 


-6 


13 


lie 





-8 


-4 


-4 


-4 




-2 


— 

- 


3 


6 


4 


I17 





8 








4 


2 





1 


-1 


2 


5 


h& 








4 





4 





2 


1 


-5 


10 


7 


l\9 














-4 










-5 


-10 


10 


ho 











4 





2 


2 




-1 


2 


9 


hi 

















-2 





— 


-1 


-2 


11 


hi 




















-2 


— 

- 


-1 


-2 


12 


h3 























1 


3 


-6 


13 


*24 


A 

u 


A 

u 


A 

4 


A 

4 


u 


z 


z 




■3 
j 


-0 


6 


^25 

















-2 







1 


-2 


11 


^26 








-4 











-2 




3 


6 


8 


h7 

























3 


-6 


13 


h& 











-4 





-2 


-2 




-1 


-2 


9 


ho 

















2 







-1 


2 


11 


ho 




















2 




1 


2 


12 


hi 

























3 


6 


13 



denotes the combined coefficients Cj of the example function and the row below denotes the combined distance coefficients 
Pi, obtained by multiplying the Cj's with the representative distance coefficients (the positive value appearing in the associated 
column). The values in this row constitute the coefficients of the distance function F whose absolute maximum value is to be 
searched. The right most three columns of the table list the output values of the distance function F, the Walsh coefficients 
of / and which leaf node in the distance tree this row belongs, among the nodes listed in Table IV Note that in Table [V] 



for the rows li with wt{i) being odd, that is, the rows corresponding to the linear functions with odd number of terms, F 
outputs the negative of wh at mus t actually be computed. This is because all values in the LDM are taken to be positive as a 



and Wf ^ if wt(i) is odd. This means that the absolute maximum value of the values produced in the distance tree can be 
used to find out the nonlinearity. The maximum value appearing in the distance tree is 7 which appears in the left most leaf 
node. Therefore, the nonlinearity is 2 n — \ max \Wf (w)\, which is 16 — 7 = 9. It must also be noted that the first row of 

the LDM which is used to compute the weight is not taken into account here. Since the weight of the Boolean function can 
obtained by adding the combined distance coefficients produced in the first phase of the nonlinearity computation algorithm, it 
is sufficient to check whether this value is smaller than the nonlinearity value obtained in the second phase or not. The weight 
of the example function is F(l, • • • , 1) = 11, which is larger than 9, so the nonlinearity is found to be 9. A better use of the 
weight computed in the first phase is to set it as the best solution and make use of the optimization techniques in the second 
phase for solving the integer programming problem more efficiently. 

A. Branch and Bound Method 

Branch and bound method is a way of efficiently solving integer programming problems by early terminating the processing 
of nodes if the best solution that can be obtained from a node will not attain the maximum/minimum value whatever the 



consequence of Proposition 3.12 The values listed in column F of Table |V| correspond to — Wf ^ for rows U if wt(i) is even, 



12 



subsequent variable choices are 01 . This idea could be realized in this specific problem by computing one maximum and 
one minimum value for each variable in the optimization problem. Since the variables are processed one by one, this allows 
one to determine what the maximum and minimum change in the function could be, regardless of whether the assignment of 
inputs are feasible or not. The algorithm then can choose not to branch a node if it is guaranteed that neither of the solutions 
obtained from that node will be better than the best feasible solution already obtained. For the distance function described 



in (23 1 having k input bits, the maximum amount of change (both positive and negative) for each node can be computed as 
follows: 

maxi = 22 fl x (24) 

i<x<k, /3 X >0 

mini = Ar- (25) 

i<x<k, P x <0 

Values maxi and mini specify how much the function can increase and decrease at most, once the first i — 1 variables are 
fixed. For instance, the function can increase the most if all of the subsequent coefficients with (3 X > are added and /3 X < 
are omitted. Hence, at a particular node while constructing the distance tree, by using the maxi and mini values, it can be 
checked whether the processed node can yield a larger absolute value than the best one at hand. If not, the processing of that 
branch of the tree is terminated at that point. If the node promises to attain a better solution, the branching continues. However, 
this does not guarantee that a better solution will be obtained since an increase (resp. decrease) of maxi (resp. mini) might 
not be possible if these inputs are not feasible. 

B. Recovering the Nearest Affine Function 

Besides computing the nonlinearity, it could be as much important to identify which affine function(s) a Boolean function 
is closest to. This can be accomplished by using the path string of the nonlinearity algorithm described above. The path string 
identifies the rows in a LDM by specifying certain columns containing either zero or nonzero entries. This problem can be 
rephrased as follows: 

Given n and two sets of indices / = . . . , i^}, E — {ei, . . . , e;} where the indices are from the set {0, . . . , 2" — 1}. 
Identify the rows r in M n satisfying A/™ ■ ^ for j £ I and M™^ = for j £ E. 

Algorithm [4] outputs a list of linear functions identified by the vector x £ F£ , given the column index sets I and E. The 



algorithm makes use of Remark 3.7 and 3.11 to list the rows of the LDM satisfying the given conditions. This algorithm can be 
executed for each leaf node of the distance tree to find out the linear functions at a specified distance to the Boolean function 
in question. Linear functions listed in the last column of Table [IV] are found by executing Algorithm |4] with the column index 
sets / and E constructed from the corresponding path strings. For example, in the first row of the table, the path string is 
11001101, which makes / = {3,17,19,29,31} and E = {26,28,30}. There is only one row in the LDM whose column 
indices specified in I are nonzero and column indices specified in E are zero, and that row corresponds to the linear function 
1% — x§. The decision of whether the Boolean function is closer to a linear function or its complement can be made based on 
the sign of the Walsh coefficient. 

Algorithm 4 Enumerate the linear functions associated with a path in the distance tree 

l: procedure PathToLinearFunction(?t,, I, E) 

2: IncludeMask — f\ i 
iei 

3: for all x £ S (IncludeMask) do 

4: valid=true 

5: for all y £ E do 

6: if (->y A x) = then 

7: valid = false 

8: break 

9: end if 

10: end for 

li: if valid= true then 

12: print x 

13: end if 

14: end for 
15: end procedure 
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C. Complexity of the Algorithm and Experimental Results 

The nonlinearity computation algorithm consists of two phases. In the first phase, from a given set of ANF coefficients, the 
combined coefficients are calculated. The number of combined coefficients is equal to the number of distinct products of input 
monomials. Although this value can be as high as 2 P (p being the number of monomials) where each monomial combination 
is distinct, the actual value will vary depending on the structural relations between monomials. The expected value of this 
quantity is given in J4) in terms of n and p as 



£(l-(l-(l-g)W 
fc=l ^ 



where q denotes the probability of a variable appearing in a monomial. For randomly generated Boolean functions, q is |. 

For the second phase of the algorithm where the binary integer programming problem is solved, it is harder to give an 
explicit expression of the complexity. The difficulty of estimating the complexity is a result of the fact that it depends on the 
distribution of the values in the Walsh spectrum of the Boolean function. However, the expreriments indicate that the execution 
time of this phase is negligible compared to the first phase of the algorithm. 

The proposed nonlinearity computation algorithm is implemented in C language and execution times are measured for 



different parameters on a PC having an Intel Core2 Duo processor running at 3.0GHz. Table VI gives the average running 
times for 60-variable Boolean functions with branch and bound method being employed. In the table, p denotes the number of 
monomials, k is the average number of combined distance coefficients, i.e., the number of variables of the associated integer 
programming problem and the last column denotes the average running times of the algorithm. For each number of monomials 
in the experiments, average timings were calculated over 10 randomly generated Boolean functions. 

TABLE VI 
Timings for n = 60. 



p 


k 


Time (sec.) 


30 


20603 


1 


40 


54742 


11 


50 


112823 


49 


60 


215641 


261 


70 


354954 


973 


80 


584629 


3191 


90 


833474 


6878 


100 


1176612 


14938 



V. Conclusion 

An algorithm for computing the nonlinearity of a Boolean function from its ANF coefficients is proposed. The algorithm 
makes use of the formulation of the distance of a Boolean function to the set of linear functions. It is shown that the problem of 
computing the nonlinearity corresponds to a binary integer programming problem where techniques for efficiently solving these 
problems such as branch and bound method can be applied to improve the performance. The algorithm allows the computation 
of nonlinearity for Boolean functions acting on large number of inputs where applying the Fast Walsh transform is impractical. 
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